Configuring Security Groups

Last updated: 2024-01-18 17:23:30

    Overview

    A security group is a stateful virtual firewall with filtering capability, used to configure network access control for one or more TencentDB instances. It is an important network security isolation tool provided by Tencent Cloud. Instances in the same region with the same network security isolation requirements can be placed in the same security group, which is a logical grouping. TencentDB and CVM share the security group list and are matched with each other within the security group based on rules. For specific rules and limitations, see Security Group Overview.
    Note:
    TencentDB for SQL Server security groups currently support network access control only for VPCs and the public network, not for the classic network.
    As TencentDB doesn't have any active outbound traffic, outbound rules don't apply to it.
    TencentDB for SQL Server security groups support primary and read-only instances.

    Configuring a security group for TencentDB

    Step 1. Create a security group

    1. Log in to the CVM console.
    2. Select Security Group on the left sidebar, select a region, and click Create.
    3. In the pop-up window, set the following configuration items, confirm that everything is correct, and click OK.
    Template: Select a template based on the service to be deployed on the TencentDB instance in the security group, which simplifies the security group rule configuration. The configuration is shown in the table below:
    | Template | Description | Applicable Scenario |
    |---|---|---|
    | Open all ports | All ports are opened to the public and private networks by default. This may pose security issues. | - |
    | Open ports 22, 80, 443, and 3389 and the ICMP protocol | Ports 22, 80, 443, and 3389 and the ICMP protocol are opened to the public network by default. All ports are opened to the private network. | This template doesn't take effect for TencentDB. |
    | Custom | You can create a security group and then add custom rules. For detailed directions, see "Step 2. Add a security group rule" below. | - |
    Name: Custom name of the security group.
    Project: Select a project for easier management. By default, DEFAULT PROJECT is selected.
    Remark: A short description of the security group for easier management.

    Step 2. Add a security group rule

    1. On the Security Group page, click Modify rule in the Operation column on the row of the security group for which to configure a rule.
    2. On the security group rule page, click Inbound rules > Add rule.
    3. In the pop-up window, set the rule.
    Type: Custom is selected by default. You can also choose another system rule template. SQL Server(1433) is recommended.
    Source: Traffic source (inbound rules) or target (outbound rules). You need to specify one of the following options:
    | Source or Target | Description |
    |---|---|
    | A single IPv4 address or an IPv4 range | In CIDR notation, such as 203.0.113.0, 203.0.113.0/24 or 0.0.0.0/0, where 0.0.0.0/0 indicates all IPv4 addresses will be matched. |
    | A single IPv6 address or an IPv6 range | In CIDR notation, such as FF05::B5, FF05:B5::/60, ::/0 or 0::0/0, where ::/0 or 0::0/0 indicates all IPv6 addresses will be matched. |
    | ID of referenced security group. You can reference the ID of: Current security group; Other security group | Current security group indicates the CVM associated with the security group. Other security group indicates the ID of another security group under the same project in the same region. |
    | Reference an IP address object or IP address group object in a parameter template. | - |
    Protocol Port: Enter the protocol type and port range or reference a protocol/port or protocol/port group in a parameter template.
    Note:
    To connect to TencentDB for SQL Server, port 1433 must be opened.
    Policy: Allow or Reject. Allow is selected by default.
    Allow: Traffic to this port is allowed.
    Reject: Data packets will be discarded without any response.
    Remark: A short description of the rule for easier management.
    4. Click Complete.

    Use cases

    Scenario: You have created a TencentDB for SQL Server instance and want to access it from a CVM instance.
    Solution: When adding security group rules, select SQL Server(1433) in "Type" to open port 1433. You can also set Source to all or specific IPs (IP ranges) as needed to allow them to access TencentDB for SQL Server from a CVM instance.

    | Inbound or Outbound | Type | Source | Protocol and Port | Policy |
    |---|---|---|---|---|
    | Inbound | SQL Server: 1433 | All IPs: 0.0.0.0/0; Specific IPs: Specify IPs or IP ranges | TCP:1433 | Allow |
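
    The Source column above accepts anything from a single address to 0.0.0.0/0, so it is worth checking which Allow rules actually expose port 1433 and to how wide a range. The following is an added example, not Tencent Cloud code: the rule dictionaries, the `PROTO:ports` syntax, the `sg-example01` ID and the prefix thresholds are constructed assumptions that mirror the console columns rather than a real export format.

```python
import ipaddress

SQL_PORT = 1433  # port the page says must be open for TencentDB for SQL Server

# Constructed sample inbound rules; field names mirror the console columns
# (Source, Protocol Port, Policy) and are not a Tencent Cloud export format.
SAMPLE_RULES = [
    {"source": "0.0.0.0/0", "protocol_port": "TCP:1433", "policy": "Allow"},
    {"source": "203.0.113.0/24", "protocol_port": "TCP:1433", "policy": "Allow"},
    {"source": "::/0", "protocol_port": "TCP:1000-2000", "policy": "Allow"},
    {"source": "sg-example01", "protocol_port": "TCP:1433", "policy": "Allow"},
    {"source": "0.0.0.0/0", "protocol_port": "TCP:3389", "policy": "Allow"},
    {"source": "10.0.0.0/8", "protocol_port": "ALL", "policy": "Allow"},
    {"source": "0.0.0.0/0", "protocol_port": "TCP:1433", "policy": "Reject"},
]


def covers_port(protocol_port, port=SQL_PORT):
    """True if a 'PROTO:ports' value (assumed syntax) includes TCP `port`."""
    proto, _, ports = protocol_port.upper().partition(":")
    if proto == "ALL" or (proto == "TCP" and ports == "ALL"):
        return True
    if proto != "TCP":
        return False
    for part in ports.split(","):
        low, _, high = part.partition("-")
        high = high or low  # a single port is a range of one
        if low.isdigit() and high.isdigit() and int(low) <= port <= int(high):
            return True
    return False


def audit(rules, max_v4_prefix=16, max_v6_prefix=48):
    """Return (index, source, reason) for Allow rules exposing SQL_PORT too widely.
    The prefix thresholds are assumed policy values, not Tencent Cloud limits."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["policy"] != "Allow" or not covers_port(rule["protocol_port"]):
            continue
        try:
            net = ipaddress.ip_network(rule["source"], strict=False)
        except ValueError:
            continue  # security group ID or parameter template reference, not a CIDR
        limit = max_v4_prefix if net.version == 4 else max_v6_prefix
        if net.prefixlen == 0:
            findings.append((i, rule["source"], "any address"))
        elif net.prefixlen < limit:
            findings.append((i, rule["source"], "broad range"))
    return findings
```

    Rules that reference a security group ID or a parameter template are skipped here because their effective sources depend on objects defined elsewhere; review those separately.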

    Step 3. Configure a security group

    A security group is an instance-level firewall provided by Tencent Cloud for controlling inbound traffic of TencentDB. You can associate a security group with an instance when purchasing it or later in the console. The two scenarios are described below:
    Note:
    Currently, security groups can be configured only for TencentDB for SQL Server instances in VPC.

    Scenario 1: Associate a security group with an instance when purchasing it

    After the security group is created, you can associate it with an instance when purchasing the instance.
    2. Click Security Group > Existing Security Group, and select the target security group in the box. Multiple selection and fuzzy search are supported for quickly locating the target group.
    3. After setting all the parameters, click Buy Now.
    Note:
    After selecting multiple security groups, you can remove the redundant ones. At least one security group is retained by default.

    Scenario 2: Associate a security group with an instance after purchasing it in the console

    1. Log in to the TencentDB for SQL Server Console. In the instance list, select the instance for which to configure a security group and click Manage in the "Operation" column to enter the instance management page.
    2. Select the Security Group tab, and click Configure Security Group.
    3. In the pop-up dialog box, select the security group to be bound and click OK.

    Importing security group rules

    1. On the Security Group page, click the ID/name of the target security group.
    2. On the inbound rule or outbound rule tab, click Import rule.
    3. In the pop-up window, select an edited inbound/outbound rule template file and click Import.
    Note:
    As existing rules will be overwritten after importing, we recommend that you export the existing rules before importing new ones.

    Cloning a security group

    1. On the Security Group page, locate the desired security group and click More > Clone in the Operation column.
    2. In the pop-up window, select the target region and project and click OK. If the new security group needs to be associated with a CVM instance, do so by managing the CVM instances in the security group.

    Deleting a security group

    1. On the Security Group page, find the security group to be deleted and click More > Delete in the Operation column.
    2. In the pop-up window, click OK. If the current security group is associated with a CVM instance, it must be disassociated first before being deleted.